Intrusion prevention service overview

Cloud Next Generation Firewall intrusion prevention service continuously monitors your Google Cloud workload traffic for any malicious activity and takes preemptive actions to prevent it. The malicious activity can include threats such as intrusions, malware, spyware, and command-and-control attacks on your network.

Cloud NGFW intrusion prevention service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently inspect the workloads for the configured threat signatures and protect them against threats. These threat prevention capabilities are powered by Palo Alto Networks threat prevention technologies.

Intrusion prevention service is offered as part of Cloud Next Generation Firewall Enterprise capabilities. For more information, see Cloud NGFW Enterprise and Cloud NGFW pricing.

This document provides a high-level overview of the various Cloud NGFW intrusion prevention service components and how these components provide advanced protection capabilities for your Google Cloud workloads in Virtual Private Cloud (VPC) networks.

How intrusion prevention service works

Intrusion prevention service processes the traffic in the following sequence:

  1. Firewall policy rules are applied to the traffic to and from the virtual machine (VM) instances or Google Kubernetes Engine (GKE) clusters in the network.

  2. The matched traffic is intercepted, and the packets are sent to the firewall endpoint for Layer 7 inspection.

  3. The firewall endpoint scans the packets for configured threat signatures.

  4. If a threat is detected, the action configured in the security profile is performed on that packet.

Figure 1 describes a simplified deployment model of intrusion prevention service.

Figure 1. Sample deployment model of intrusion prevention service.

The rest of this section explains the components and configurations required to set up intrusion prevention service.

Security profiles and security profile groups

Cloud NGFW references security profiles and security profile groups to implement deep packet inspection for threat prevention service.

  • Security profiles are generic policy structures that are used in intrusion prevention service to override specific threat prevention scenarios. To configure intrusion prevention service, you define a security profile of type threat-prevention. To learn more about security profiles, see Security profile overview.

  • Security profile groups contain a security profile of type threat prevention. To configure intrusion prevention service, firewall policy rules reference these security profile groups to enable threat detection and prevention for network traffic. To learn more about security profile groups, see Security profile group overview.

Firewall endpoint

A firewall endpoint is an organization-level resource created in a specific zone that can inspect traffic in the same zone.

For intrusion prevention service, the firewall endpoint scans the intercepted traffic for any threats. If a threat is detected, an action associated with the threat is performed on that packet. This action can be a default action, or an action (if configured) in the threat-prevention security profile.

To learn more about firewall endpoints and how to configure them, see Firewall endpoint overview.

Firewall policies

Firewall policies apply directly to all traffic moving in and out of the VM. You can use hierarchical firewall policies and global network firewall policies to configure firewall policy rules with Layer 7 inspection.

Firewall policy rules

Firewall policy rules enable you to control the type of traffic to be intercepted and inspected. To configure the intrusion prevention service, create a firewall policy rule to do the following:

For the complete intrusion prevention service workflow, see Configure intrusion prevention service.

You can also use secure tags in firewall rules to configure intrusion prevention service. You can build on any segmentation that you have set up by using tags in your network, and enhance the traffic inspection logic to include threat prevention service.
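
The components described above fit together as in the following script. This is an added example, not part of the original page or of Google's documentation: it prints (or, with DRY_RUN=0, runs) the gcloud commands for a threat-prevention security profile with a severity override, a security profile group, a zonal firewall endpoint with its VPC network association, and a firewall policy rule that sends matched traffic for Layer 7 inspection. All resource names, IDs, the zone, and the rule's priority and match criteria are constructed placeholders.

```shell
#!/bin/sh
# Added example. Every value below is a constructed placeholder.
ORG_ID="${ORG_ID:-123456789012}"
PROJECT="${PROJECT:-example-project}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-example-vpc}"
POLICY="${POLICY:-example-fw-policy}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands for review

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Security profile of type threat-prevention, plus an override that
# replaces the signatures' default action for critical/high severity.
create_profile() {
  run gcloud network-security security-profiles threat-prevention create ips-profile \
    --organization "$ORG_ID" --location global
  run gcloud network-security security-profiles threat-prevention add-override ips-profile \
    --organization "$ORG_ID" --location global --severities CRITICAL,HIGH --action DENY
}

# Security profile group that contains the threat-prevention profile.
create_group() {
  run gcloud network-security security-profile-groups create ips-group \
    --organization "$ORG_ID" --location global \
    --threat-prevention-profile "organizations/$ORG_ID/locations/global/securityProfiles/ips-profile"
}

# Zonal firewall endpoint, associated with the VPC network in the same zone.
create_endpoint() {
  run gcloud network-security firewall-endpoints create ips-endpoint \
    --organization "$ORG_ID" --zone "$ZONE" --billing-project "$PROJECT"
  run gcloud network-security firewall-endpoint-associations create ips-assoc \
    --endpoint "organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/ips-endpoint" \
    --network "$NETWORK" --zone "$ZONE" --project "$PROJECT"
}

# Firewall policy rule: matched traffic is intercepted and inspected
# against the security profile group instead of being allowed or denied.
create_rule() {
  run gcloud compute network-firewall-policies rules create 1000 \
    --firewall-policy "$POLICY" --global-firewall-policy \
    --direction INGRESS --src-ip-ranges 0.0.0.0/0 --layer4-configs tcp:443 \
    --action apply_security_profile_group \
    --security-profile-group "//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/ips-group"
}

create_profile && create_group && create_endpoint && create_rule
```

Traffic that does not match a rule with the apply_security_profile_group action is never sent to the firewall endpoint, so the rule's match criteria define what intrusion prevention service inspects.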

Inspect encrypted traffic

Cloud NGFW supports Transport Layer Security (TLS) interception and decryption to inspect selected encrypted traffic for threats. TLS inspection lets you inspect both inbound and outbound connections, including traffic to and from the internet and traffic within Google Cloud.

To learn more about TLS inspection in Cloud NGFW, see TLS inspection overview.

To learn how to enable TLS inspection in Cloud NGFW, see Set up TLS inspection.

Threat signatures

Cloud NGFW threat detection and prevention capabilities are powered by Palo Alto Networks threat prevention technologies. Cloud NGFW supports a default set of threat signatures with predefined severity levels to help protect your network. You can also override the default actions associated with these threat signatures by using security profiles.

To learn more about threat signatures, see Threat signatures overview.

To view the threats detected in your network, see View threats.

Limitations

  • Cloud NGFW does not support jumbo frame maximum transmission unit (MTU).

  • Firewall endpoints ignore X-Forwarded-For (XFF) headers. Therefore, these headers are not included in Firewall Rules Logging.
